pam_ldap.so use_first_pass
auth [default=done] pam_ccreds.so action=validate use_first_pass
The difference is user_unknown=ignore.
The idea is to fall back to pam_ccreds if, and only if, the LDAP server
is down. If the network is broken users should be able to log in.
I would prefer Configuration 1.
Behaviour with Configuration 1:
If nslcd is down, configuration 1 behaves as expected. Authentication
is unavailable, so pam_ldap.so is ignored, and pam_ccreds is used.
If nslcd is up, but the LDAP server is down, configuration 1 behaves as
if the user doesn't exist. This means that if the LDAP server is down,
pam_ccreds is not used. This is a problem.
This seems to be because of common/nslcd-prot.h, lines 376 to 379:
    if (tmpint32 != (int32_t)NSLCD_RESULT_BEGIN) \
    { \
      ERROR_OUT_NOSUCCESS(fp); \
    }
which triggers PAM_USER_UNKNOWN in pam/common.h, line 69.
Behaviour with Configuration 2:
Configuration 2 also has its pitfalls, and that's with deleted users.
Now a user that used to exist, and is in pam_ccreds, that gets deleted,
will be allowed to login even when the LDAP server is up.
nslcd returns "user not found" (correctly). pam_ldap.so ignores that
error message and passes the user on to pam_ccreds.
Tested with old versions 0.7.16 and 0.8.12 and new version 0.9.4.
What I'm thinking of doing:
Test for NSLCD_RESULT_END without first NSLCD_RESULT_BEGIN, and if
this is found, return ERROR_OUT_NOSUCCESS.
If no NSLCD_RESULT_BEGIN and no NSLCD_RESULT_END, return
ERROR_OUT_READERROR.
Can I just change common/nslcd-prot.h:
#define READ_RESPONSE_CODE(fp) \
    READ(fp, &tmpint32, sizeof(int32_t)); \
    tmpint32 = ntohl(tmpint32); \
    if (tmpint32 != (int32_t)NSLCD_RESULT_END) \
    { \
      ERROR_OUT_NOSUCCESS(fp); \
    } \
    if (tmpint32 != (int32_t)NSLCD_RESULT_BEGIN) \
    { \
      ERROR_OUT_READERROR(fp); \
    }
or will this break for multiple matches?
Berend
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
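The response-code handling the message above is asking about, as an added stand-alone model (example code, not nss-pam-ldapd's own source and not the poster's patch). It puts the quoted rule (one code read; anything other than NSLCD_RESULT_BEGIN is ERROR_OUT_NOSUCCESS) beside the proposed one (a bare NSLCD_RESULT_END is no-such-user, a short read or unexpected code is a read error), maps each outcome to the PAM code that the user_unknown=ignore and [default=done] controls act on, and walks a multi-match response so the "will this break for multiple matches?" question can be checked directly. Assumptions: NSLCD_RESULT_BEGIN/END are 1 and 2 as in nslcd.h, the PAM constants are Linux-PAM's values (defined locally so no PAM headers are needed), a failed READ() in the original macro is treated as ERROR_OUT_READERROR, and each entry payload is modelled as a single int32. The sample responses are constructed, not captured from a real nslcd, and this says nothing about what nslcd actually writes when the LDAP server is unreachable.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NSLCD_RESULT_BEGIN 1   /* assumed: values as in nslcd.h */
#define NSLCD_RESULT_END   2

/* Linux-PAM return codes, defined here so no PAM headers are needed. */
#define PAM_SUCCESS          0
#define PAM_AUTHINFO_UNAVAIL 9
#define PAM_USER_UNKNOWN     10

enum outcome { OUT_FOUND, OUT_NOSUCCESS, OUT_READERROR };

/* In-memory byte stream standing in for the nslcd socket (TIO handle). */
struct stream { const unsigned char *buf; size_t len; size_t pos; };

/* Read one big-endian int32, the wire form the macros ntohl() back. */
static int read_int32(struct stream *s, int32_t *out) {
    const unsigned char *p = s->buf + s->pos;
    if (s->len - s->pos < 4) return -1;                  /* short read */
    *out = (int32_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                     ((uint32_t)p[2] << 8) | (uint32_t)p[3]);
    s->pos += 4;
    return 0;
}

/* Quoted rule: read one code; BEGIN means an entry follows, anything
 * else is NOSUCCESS. A failed READ() is assumed to be READERROR. */
static enum outcome read_response_old(struct stream *s) {
    int32_t code;
    if (read_int32(s, &code) != 0) return OUT_READERROR;
    return code == NSLCD_RESULT_BEGIN ? OUT_FOUND : OUT_NOSUCCESS;
}

/* Proposed rule: END with no prior BEGIN is NOSUCCESS (user unknown);
 * a short read or an unexpected code is READERROR. Every BEGIN is
 * counted, so a multi-match response is walked rather than rejected. */
static enum outcome read_response_new(struct stream *s, int *nresults) {
    int32_t code;
    *nresults = 0;
    for (;;) {
        if (read_int32(s, &code) != 0) return OUT_READERROR;
        if (code == NSLCD_RESULT_END)
            return *nresults > 0 ? OUT_FOUND : OUT_NOSUCCESS;
        if (code != NSLCD_RESULT_BEGIN) return OUT_READERROR;
        (*nresults)++;
        if (read_int32(s, &code) != 0) return OUT_READERROR; /* skip payload */
    }
}

/* PAM code handed back to the stack for each outcome; user_unknown=ignore
 * and [default=done] in the pam config decide what happens next. */
int pam_code_for(enum outcome o) {
    switch (o) {
    case OUT_FOUND:     return PAM_SUCCESS;
    case OUT_NOSUCCESS: return PAM_USER_UNKNOWN;
    default:            return PAM_AUTHINFO_UNAVAIL;
    }
}

static size_t put_int32(unsigned char *b, size_t pos, int32_t v) {
    uint32_t u = (uint32_t)v;
    b[pos] = (unsigned char)(u >> 24); b[pos + 1] = (unsigned char)(u >> 16);
    b[pos + 2] = (unsigned char)(u >> 8); b[pos + 3] = (unsigned char)u;
    return pos + 4;
}

/* Constructed responses (not captured from nslcd); payload is one int32. */
enum which { ONE_MATCH, TWO_MATCHES, NO_USER, GARBAGE, TRUNCATED };
static size_t build(enum which w, unsigned char *b) {
    size_t n = 0;
    switch (w) {
    case TWO_MATCHES:
        n = put_int32(b, n, NSLCD_RESULT_BEGIN); n = put_int32(b, n, 1001);
        /* fall through: a second entry follows the first */
    case ONE_MATCH:
        n = put_int32(b, n, NSLCD_RESULT_BEGIN); n = put_int32(b, n, 1000);
        return put_int32(b, n, NSLCD_RESULT_END);
    case NO_USER: return put_int32(b, 0, NSLCD_RESULT_END);
    case GARBAGE: return put_int32(b, 0, 0x7f);
    default:      return 0;                            /* connection dropped */
    }
}

int old_code(enum which w) {
    unsigned char b[32]; struct stream s = { b, build(w, b), 0 };
    return pam_code_for(read_response_old(&s));
}
int new_code(enum which w) {
    unsigned char b[32]; int n; struct stream s = { b, build(w, b), 0 };
    return pam_code_for(read_response_new(&s, &n));
}
int new_entries(enum which w) {
    unsigned char b[32]; int n; struct stream s = { b, build(w, b), 0 };
    read_response_new(&s, &n);
    return n;
}

int main(void) {
    const char *names[] = { "one match", "two matches", "no user", "garbage", "truncated" };
    for (int w = ONE_MATCH; w <= TRUNCATED; w++)
        printf("%-12s old=%2d new=%2d entries=%d\n", names[w], old_code((enum which)w),
               new_code((enum which)w), new_entries((enum which)w));
    return 0;
}
```

The two rules agree on a real entry and on a bare END (both give PAM_USER_UNKNOWN, so on its own the proposed change does not turn "LDAP down" into PAM_AUTHINFO_UNAVAIL unless nslcd writes something other than END in that case); they differ on an unexpected code, which the old rule reports as user unknown and the new one as a read error. Because the new rule loops until END and counts each BEGIN, a two-entry response is accepted with entries=2 instead of tripping the second check.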

Query about authinfo_unavail and user_unknown behaviour,
Berend De Schouwer

This archive was generated using mhonarc on Mon Jun 01 04:04:32 2020.